Sophos Anti-Virus for Mac version 9.0 Preview

Hi everyone,

Today we published Sophos Anti-Virus for Mac version 9.0 Preview for your evaluation and use.

The headline feature for version 9.0 is Web Protection, offering protection to make web browsing safe. This is the same technology used by our corporate customers; learn more from our website: http://www.sophos.com/en-us/why-sophos/innovative-technology/web-protection.aspx

We've also worked hard to improve the existing features with a number of security and stability fixes. Version 9.0 supports Mac OS X 10.6 and up. This means we've discontinued support for all PowerPC systems and 10.4/10.5 Intel systems going forward.

This is a "preview" release. The product has passed all of our internal quality assurance testing but we are looking for additional feedback from real users in the real world. Barring any undiscovered defects, this version provides the same protection as version 8 plus protection for web browsing. The product will get regular updates too.

Download the version 9.0 Preview installer here: http://downloads.sophos.com/home-edition/savosx_90_he.zip

SHA-256 checksum of the 9.0.0 zip file: 0252e80845d38e43c9638983900d3f9a91dac4b2e9c028e787e4a8e40018d4c1

SHA-256 checksum of the 9.0.1 zip file: 4719154788e5e4251dc76bfecde842ea7fd08db32e36ecef0072335ca156bb4a

You can upgrade an existing version 8 installation, or set up a brand new installation with the same installer. Either way, just download and run the installer app. Today you need to "opt-in" by manually running the installer but later this year we'll migrate all version 8 installations.

If you find problems, please post about them here. If you don't have any problems, we'd love to hear that too. If you find a showstopper issue, please let us know and then reinstall version 8 until we can fix it.

Note that the version 8 installer is still available from our main website: http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

Regarding the Web Protection feature, you can test the two different types of protection with these two links:

URL reputation blocking: http://www.sophostest.com/ then click the "Malware" link about half-way down the page

Malicious content blocking: http://www.eicar.org/download/eicar_com.zip

In both cases, you will get a notification page instead of the real content when the protection features are enabled in the preferences.

Thanks in advance for your feedback.

:1012410


This thread was automatically locked due to age.
  • One possible issue, did a scan of my downloads folder, no threats found, but it says "Issues detected" but I can't find any way to see exactly what those issues are.

    :1012432
  • I also did a scan of my Downloads folder (lots of junk in there!).  Also reported "issues" but no threats.  I then looked in the scan log. 

    2013-06-21 13:29:23 +1000 Corrupt file: /Volumes/MacHD/Users/john/Downloads/mediawiki-1.19.2.tar.gz
    2013-06-21 13:54:08 +1000 Corrupt file: /Volumes/MacHD/Users/john/Downloads/XML/XMLSpear.dmg

    XMLSpear.dmg opens fine in Finder - no verification errors.

    mediawiki-1.19.2.tar.gz unpacks fine.

    As further tests:

    A. Downloaded the mediawiki file again and also two different versions (1.19.7 and 1.21.1) and scanned them - Sophos finds the 1.19.x files corrupt, but 1.21.1 is ok.   I got them from this Mediawiki mirror.   This does seem to be a repeatable problem with the 1.19.x files.

    B. Other tar.gz files that I have are accepted by Sophos.

    C. XMLSpear is horribly old and I don't think I could find it again  :-)

    I should add that the scan was set to scan inside archives and compressed files.

    :1012434

  • mistabaka wrote:

    One possible issue, did a scan of my downloads folder, no threats found, but it says "Issues detected" but I can't find any way to see exactly what those issues are.


    Check the scan log (Preferences > Logging > View Log File, or directly via Console). Should give a hint or suggestion what has happened. Often "issues" are files which could not be scanned (encrypted, considered corrupt, etc).

    :1012438

  • gilby101 wrote:

    A. Downloaded the mediawiki file again and also two different versions (1.19.7 and 1.21.1) and scanned them - Sophos finds the 1.19.x files corrupt, but 1.21.1 is ok.   I got them from this Mediawiki mirror.   This does seem to be a repeatable problem with the 1.19.x files.


    The scanning engine needs to "unwind" archive files in order to figure out if any of the content is suspicious or outright known malware. This process usually involves decoding the archive format then decompressing the content for further inspection. In some cases, the engine is unable to parse files successfully because it's been written in a non-standard way, or it's encrypted, or it's been damaged. In the cases of damage, the report of "corrupt" is accurate. In cases of encrypted content, the log will call out that it's encrypted (not corrupt). In the rare case, it's likely because we have stumbled into something unexpected and yet still report "corrupt".

    Note that just because a given archive can be expanded doesn't necessarily imply it's not corrupt (it's just that some decompressors ignore decoding errors, but we generally do not). Also possible it's a bug on our side. Thanks for the report and link, I'll get it reported to the right internal team.

    :1012440
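The difference described in the reply above, between an unpacker that ignores decoding errors and a scanner that reports them, shown on the gzip layer of a `.tar.gz`. This is an added example, not Sophos engine code and not part of the original thread; the sample archives are constructed in the script and the function names are hypothetical.

```python
import gzip
import zlib

PAYLOAD = b"constructed sample payload\n" * 64   # constructed test data

def build_samples():
    """One valid gzip member plus three damaged variants (all constructed)."""
    good = gzip.compress(PAYLOAD)
    bad_crc = bytearray(good)
    bad_crc[-8] ^= 0xFF                      # first byte of the CRC32 trailer field
    return {
        "good": good,
        "truncated": good[:-4],              # ISIZE trailer field cut off
        "trailing": good + b"\x00" * 512,    # extra bytes after the member
        "bad_crc": bytes(bad_crc),
    }

def inspect_gzip(blob, step=1):
    """Inflate `blob` in small steps; return (recovered bytes, problem or None)."""
    d = zlib.decompressobj(wbits=31)         # wbits=31 selects gzip framing
    out, problem = bytearray(), None
    for i in range(0, len(blob), step):
        try:
            out += d.decompress(blob[i:i + step])
        except zlib.error as exc:            # bad CRC32/ISIZE or invalid deflate data
            problem = f"decode error: {exc}"
            break
        if d.eof:                            # trailer verified, member complete
            if i + step < len(blob) or d.unused_data:
                problem = "data after end of gzip member"
            break
    else:                                    # input ran out before the trailer
        problem = "stream ends before gzip trailer"
    return bytes(out), problem

def lenient_unpack(blob):
    """What a forgiving unpacker hands back: the bytes, with problems ignored."""
    return inspect_gzip(blob)[0]

def strict_verdict(blob):
    """What a strict scanner logs for the same input."""
    problem = inspect_gzip(blob)[1]
    return "ok" if problem is None else f"corrupt ({problem})"

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10} unpacked={lenient_unpack(blob) == PAYLOAD} "
              f"verdict={strict_verdict(blob)}")
```

All four samples unpack to the same payload, yet only the first passes the strict check. A gzip file may legitimately hold several concatenated members, so a fuller checker would try to parse the bytes after the first member before flagging them.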
  • Web Protection is a welcome addition, but I consider that there needs to be some discussion of privacy issues around this feature.  If I enable realtime URL reputation checks then there are one or more http connections to Sophos for every web page I visit.  Whilst this is providing protection it seems to also provide Sophos (or anyone who taps the network connection) with a complete log of all the web pages I visit.

    At present, I feel that the privacy issues are greater than the benefits and have turned this feature off at least until I have a better understanding of exactly what is transmitted and what Sophos does with the information.

    But am I right in my understanding of how the feature operates?

    :1012482
  • Hello John,

    it seems to also provide Sophos (or anyone who taps the network connection) with a complete log of all the web pages I visit

    an understandable concern but mostly unfounded. For HTTP anyone who taps the network connection can view requests for pages including headers and responses in full anyway so there's not much left that could be revealed by the lookups. The lookup itself contains just the URL (in somewhat encoded form) and the Sophos SXL version (the component which does the lookups) - nothing else, no browser info, no referrer, cookies or other data - and of course the originating IP (which could be those of a proxy) can be extracted from the connection. As repeated lookups for the same URL within a certain interval are avoided it doesn't produce a complete trail.

    Thus - all that could identify you is the IP (if you're not using a proxy) and what could be recorded is an incomplete list of URL requests. Perhaps slightly useful if someone has no other information about you and your browsing behaviour. Now compare this to the "features" you usually find on a web page: Google Analytics and other statistics and counter tools, geolocation, various buttons, advertising and so on - all these collect much more information about you

    Christian

    :1012486
  • Christian's explanation is correct, we receive an encoded form of the URL hostname and path and the IP address of the originating computer (which might be a firewall or proxy). We don't capture any personally identifiable or confidential information (we don't receive query args from the URL).

    Our Web Protection feature is like the safe browsing functionality built into Safari, Chrome, Firefox, etc.

    Additionally we periodically receive "feedback packets" - information about the performance of the software. This contains a unique identifier for your computer, but it's randomly assigned when the software is installed. There is no way for Sophos to figure out which computer is yours.

    We do store the URLs that are looked up, used for statistical analysis by SophosLabs. We don't store any association between URLs and endpoints e.g. we have no way to know which computer visited which website.

    Hopefully that answers your concern. The most common vector for potentially malicious code to hit your computer is via the web. Surf safely, either with our product or that of someone else.

    :1012488
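A sketch of the lookup behaviour the two replies above describe: only hostname and path leave the machine, and a repeat lookup for the same URL within an interval is skipped. This is an added example and not the Sophos SXL implementation; the class name, the 300-second interval and the plain `host/path` form are assumptions (the thread says the real lookup is encoded but does not say how), and the sample URLs are constructed.

```python
import time
from urllib.parse import urlsplit

class MinimalLookupClient:
    """Hypothetical reputation client that minimises what each lookup reveals."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds        # assumed repeat-suppression interval
        self.clock = clock            # injectable so the behaviour can be tested
        self._last_sent = {}          # lookup key -> time it was last sent
        self.sent = []                # stands in for the wire: what a tap would see

    @staticmethod
    def lookup_key(url):
        """Reduce a URL to hostname + path; everything else stays local."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()   # drops userinfo and port
        path = parts.path or "/"
        return f"{host}{path}"                  # query string and fragment dropped

    def check(self, url):
        """Return True if a lookup was sent, False if it was suppressed."""
        key = self.lookup_key(url)
        now = self.clock()
        last = self._last_sent.get(key)
        if last is not None and now - last < self.ttl:
            return False              # same host+path seen recently: nothing sent
        self._last_sent[key] = now
        self.sent.append(key)
        return True

if __name__ == "__main__":
    client = MinimalLookupClient()
    for url in ("http://example.test/account/view?session=SECRET#top",
                "http://example.test/account/view?session=OTHER",
                "http://example.test/help"):
        print(client.check(url), client.lookup_key(url))
```

A token carried in the path rather than in the query string would still be part of such a lookup, which is the case to check when reviewing a design like this.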
  • Bob & Christian,

    Thank you both for your replies and the points you have made - I will consider them carefully.  You have provided more information on what is (and is not) transmitted as well as what data you do (and don't) record.  And that does go some way to reassure me.   I am one of those people who take some steps to cover tracks (blocking Google Analytics and tracking sites) without attempting to fully hide myself. ;-)

    By the way, I have been using Sophos for Mac for a few years and every time I consider moving to something else I always come back to knowing that Sophos for Mac meets my needs better than the competition (paid or free).  Thank you!

    :1012494
  • Hi Bob,

    What's the RAM use of Version 9? Version 8 had a high RAM use when opening two or three apps.
    Is the Intercheck process faster in Version 9?

    Greets Carlos
    :1012496
  • Hi carlos,

    We've squashed a few memory leaks in version 9, although I will say that RAM usage has increased because we have more software running now. We added a couple of new processes. On my Mac running 10.8.4 I see "real mem" listed as: SophosConfigD 3.9 MB, SophosSXLD 25.3 MB, SophosWebIntelligence 11.1 MB, SophosScanD 226.5 MB. SophosScanD is big because it is running the full virus detection engine. Memory usage will vary a bit over time but shouldn't rise to infinity. Memory consumption is an important consideration and something we have more work planned for future versions.

    We haven't made a lot of performance improvements to Intercheck in this update but I'm interested to hear more about how it performs for you e.g. how did you conclude it's slow and what settings are you using. Thanks!

    :1012498